Исходное сообщение
"Не ходит трафик через VPN" Отправлено motok, 20-Июн-18 17:15
> ;) aaa new-model ! ! aaa authentication login USER-EVPN local aaa authorization network GROUP-EVPN local ! ! ! ! ! aaa session-id common ! memory-size iomem 10 clock timezone PCTime 3 0 clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00 crypto pki token default removal timeout 0 ! crypto pki trustpoint TP-self-signed-3162754647 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-3162754647 revocation-check none rsakeypair TP-self-signed-3162754647 ! crypto pki trustpoint test_trustpoint_config_created_for_sdm subject-name e=sdmtest@sdmtest.com revocation-check crl ! ! crypto pki certificate chain TP-self-signed-3162754647 certificate self-signed 01   3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030         quit crypto pki certificate chain test_trustpoint_config_created_for_sdm no ip source-route ! ! ! ip vrf MyRouter ! ! ! ip cef ip flow-cache timeout active 1 no ipv6 cef ! ! multilink bundle-name authenticated license udi pid CISCO881-PCI-K9 sn FCZ16 license boot module c880-data level advipservices ! ! username 1 privilege 15 view root secret 4 WIt8jvB9k8OmgaoqfrYwU//PXImqYGmcAxH9SvUrP.Q username 2 privilege 15 view root secret 4 Al8uww7VpZFUTM/RUP.HMrmnPkjI38WOgymMWl8y/QY username VPN password 0 12345678 ! ! ! ! ! ! crypto isakmp policy 10 encr 3des authentication pre-share group 2 ! crypto isakmp client configuration group VPN-GROUP key ********** dns 192.168.3.4 wins 192.168.3.4 pool VPN-POOL acl 120 save-password crypto isakmp profile VPN-CLIENT    match identity group VPN-GROUP    client authentication list USER-VPN    isakmp authorization list GROUP-VPN    client configuration address respond    virtual-template 1 !! crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac ! crypto ipsec profile test-vti1 set transform-set VTI-TS ! interface FastEthernet0 no ip address ! interface FastEthernet1 switchport access vlan 2 no ip address shutdown ! interface FastEthernet2 no ip address ! interface FastEthernet3 no ip address ! interface FastEthernet4 description Internet$ETH-WAN$ ip address 81.*.*.* 255.255.255.248 ip broadcast-address 0.0.0.0 ip access-group dostup-rdp in ip nat outside ip virtual-reassembly in duplex auto speed auto ! interface Virtual-Template1 type tunnel ip unnumbered FastEthernet4 ip broadcast-address 0.0.0.0 ip virtual-reassembly in tunnel mode ipsec ipv4 tunnel protection ipsec profile test-vti1 ! interface Vlan1 description Lan$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$ ip address 192.168.3.3 255.255.0.0 ip broadcast-address 0.0.0.0 ip flow ingress ip flow egress ip nat inside ip virtual-reassembly in ip tcp adjust-mss 1360 ! interface Vlan2 description second_int ip address 192.168.6.2 255.255.255.0 ip broadcast-address 0.0.0.0 ip nat outside ip nat enable ip virtual-reassembly in shutdown ! ip local pool VPN-POOL 192.168.3.80 192.168.3.99 ip forward-protocol nd ip http server ip http access-class 23 ip http authentication local ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ! ip flow-export version 5 ip flow-export destination 192.168.3.7 9996 ! ip nat sip-sbc no ip nat service sip udp port 5060 ip nat inside source static tcp 192.168.3.8 3389 interface FastEthernet4 3154 ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload ip route 0.0.0.0 0.0.0.0 81.*.*.* ! ip access-list extended dostup-rdp remark Ivlev permit tcp 109.*.*.0 0.0.0.255 host 81.*.*.* eq 3154 deny   tcp any host 81.*.*.* eq 3154 permit ip any any ! no logging trap access-list 1 remark INSIDE_IF=Vlan1 access-list 1 remark CCP_ACL Category=2 access-list 1 permit 192.168.3.0 0.0.0.255 access-list 23 remark CCP_ACL Category=17 access-list 23 permit 192.168.3.0 0.0.0.255 access-list 100 remark CCP_ACL Category=4 access-list 100 remark IPSec Rule access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 access-list 103 remark CCP_ACL Category=4 access-list 104 deny   ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 access-list 104 permit ip 192.168.3.0 0.0.0.255 any access-list 120 permit ip 192.168.3.0 0.0.0.255 any access-list 170 permit esp any any access-list 170 permit udp any any eq isakmp access-list 170 permit udp any any eq non500-isakmp no cdp run ! ! ! ! route-map SDM_RMAP_1 permit 1 match ip address 104 match interface FastEthernet4 ! snmp-server community public RO snmp-server ifindex persist snmp-server host 192.168.3.7 public ! ! ! control-plane !

Ваше сообщение
Имя*:
EMail:	Для отправки новых сообщений в текущей нити на email укажите знак ! перед адресом, например, !user@host.ru (!! - не показывать email). Более тонкая настройка отправки ответов производится в профиле зарегистрированного участника форума.
Заголовок*:
Сообщение*:	>> ;) > aaa new-model > ! > ! > aaa authentication login USER-EVPN local > aaa authorization network GROUP-EVPN local > ! > ! > ! > ! > ! > aaa session-id common > ! > memory-size iomem 10 > clock timezone PCTime 3 0 > clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00 > crypto pki token default removal timeout 0 > ! > crypto pki trustpoint TP-self-signed-3162754647 > enrollment selfsigned > subject-name cn=IOS-Self-Signed-Certificate-3162754647 > revocation-check none > rsakeypair TP-self-signed-3162754647 > ! > crypto pki trustpoint test_trustpoint_config_created_for_sdm > subject-name e=sdmtest@sdmtest.com > revocation-check crl > ! > ! > crypto pki certificate chain TP-self-signed-3162754647 > certificate self-signed 01 > 3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 > quit > crypto pki certificate chain test_trustpoint_config_created_for_sdm > no ip source-route > ! > ! > ! > ip vrf MyRouter > ! > ! > ! > ip cef > ip flow-cache timeout active 1 > no ipv6 cef > ! > ! > multilink bundle-name authenticated > license udi pid CISCO881-PCI-K9 sn FCZ16 > license boot module c880-data level advipservices > ! > ! > username 1 privilege 15 view root secret 4 WIt8jvB9k8OmgaoqfrYwU//PXImqYGmcAxH9SvUrP.Q > username 2 privilege 15 view root secret 4 Al8uww7VpZFUTM/RUP.HMrmnPkjI38WOgymMWl8y/QY > username VPN password 0 12345678 > ! > ! > ! > ! > ! > ! > crypto isakmp policy 10 > encr 3des > authentication pre-share > group 2 > ! > crypto isakmp client configuration group VPN-GROUP > key ********** > dns 192.168.3.4 > wins 192.168.3.4 > pool VPN-POOL > acl 120 > save-password > crypto isakmp profile VPN-CLIENT > match identity group VPN-GROUP > client authentication list USER-VPN > isakmp authorization list GROUP-VPN > client configuration address respond > virtual-template 1 > !! > crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac > ! > crypto ipsec profile test-vti1 > set transform-set VTI-TS > ! > interface FastEthernet0 > no ip address > ! > interface FastEthernet1 > switchport access vlan 2 > no ip address > shutdown > ! > interface FastEthernet2 > no ip address > ! > interface FastEthernet3 > no ip address > ! > interface FastEthernet4 > description Internet$ETH-WAN$ > ip address 81.*.*.* 255.255.255.248 > ip broadcast-address 0.0.0.0 > ip access-group dostup-rdp in > ip nat outside > ip virtual-reassembly in > duplex auto > speed auto > ! > interface Virtual-Template1 type tunnel > ip unnumbered FastEthernet4 > ip broadcast-address 0.0.0.0 > ip virtual-reassembly in > tunnel mode ipsec ipv4 > tunnel protection ipsec profile test-vti1 > ! > interface Vlan1 > description Lan$ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$ > ip address 192.168.3.3 255.255.0.0 > ip broadcast-address 0.0.0.0 > ip flow ingress > ip flow egress > ip nat inside > ip virtual-reassembly in > ip tcp adjust-mss 1360 > ! > interface Vlan2 > description second_int > ip address 192.168.6.2 255.255.255.0 > ip broadcast-address 0.0.0.0 > ip nat outside > ip nat enable > ip virtual-reassembly in > shutdown > ! > ip local pool VPN-POOL 192.168.3.80 192.168.3.99 > ip forward-protocol nd > ip http server > ip http access-class 23 > ip http authentication local > ip http secure-server > ip http timeout-policy idle 60 life 86400 requests 10000 > ! > ip flow-export version 5 > ip flow-export destination 192.168.3.7 9996 > ! > ip nat sip-sbc > no ip nat service sip udp port 5060 > ip nat inside source static tcp 192.168.3.8 3389 interface FastEthernet4 3154 > ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload > ip route 0.0.0.0 0.0.0.0 81.*.*.* > ! > ip access-list extended dostup-rdp > remark Ivlev > permit tcp 109.*.*.0 0.0.0.255 host 81.*.*.* eq 3154 > deny tcp any host 81.*.*.* eq 3154 > permit ip any any > ! > no logging trap > access-list 1 remark INSIDE_IF=Vlan1 > access-list 1 remark CCP_ACL Category=2 > access-list 1 permit 192.168.3.0 0.0.0.255 > access-list 23 remark CCP_ACL Category=17 > access-list 23 permit 192.168.3.0 0.0.0.255 > access-list 100 remark CCP_ACL Category=4 > access-list 100 remark IPSec Rule > access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255 > access-list 103 remark CCP_ACL Category=4 > access-list 104 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255 > access-list 104 permit ip 192.168.3.0 0.0.0.255 any > access-list 120 permit ip 192.168.3.0 0.0.0.255 any > access-list 170 permit esp any any > access-list 170 permit udp any any eq isakmp > access-list 170 permit udp any any eq non500-isakmp > no cdp run > ! > ! > ! > ! > route-map SDM_RMAP_1 permit 1 > match ip address 104 > match interface FastEthernet4 > ! > snmp-server community public RO > snmp-server ifindex persist > snmp-server host 192.168.3.7 public > ! > ! > ! > control-plane > !
	Введите код, изображенный на картинке: